Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

6/14/2012
06:06 PM
50%
50%

Security Startups Focusing On Threats, Not Malware

Stopping malware is so yesterday. Eclectic groups of security people have banded together to make life difficult for attackers

Security consultant Dino Dai Zovi hacked Macs and co-authored a book on how to secure them. Tillmann Werner researched ways to detect the Conficker worm on infected networks and advocated an offensive approach to dealing with the threat. Shawn Henry chased cybercriminals during his 23-year career at the FBI. And Dan Guido teaches at NYU Poly and espouses a "Know Your Attacker" philosophy.

All four have left previous positions and joined startups that are creating services and products that focus on ways to make attacks more painful for the attackers. Rather than continue finding vulnerabilities or pointing out ways attackers can infiltrate networks, groups of well-known researchers are increasingly coming together to find better ways to identify and hinder attackers.

"I think that smart security folks intuitively understand what most large businesses have been learning the hard way -- that most of what the security industry works on has little impact on the ability for attackers to achieve their goals," Guido says.

As attackers become more skilled at quiet, targeted attacks, traditional defenses are failing to catch them. While some security companies, for example, can search their logs of blocked programs for evidence that their products stopped Flame, it took the antivirus industry at least four years to detect the attack.

The lack of success has frustrated a number of researchers, such as Guido. With Dai Zovi and former VMWare researcher Alexander Sotirov, the one-time security consultant and occasional professor created Trail of Bits, a company focused on analyzing attacks and finding the best ways to help its clients defend their networks and data.

[ The White House's first cybersecurity coordinator says it's time for the federal government to begin implementing its blueprints for secure identities and its international strategy for cybersecurity. See Former White House Cybersecurity Czar Calls For Security Action. ]

Similar reasons drove George Kurtz to start up CrowdStrike with Dmitri Alperovitch, former vice president of threat research at McAfee, and Gregg Marston, formerly of Foundstone, a company Kurtz co-founded in the late '90s. There is still a lot of work to be done, but CrowdStrike is developing the ability to help companies understand who is attacking them and why they are being targeted so that they can martial their defenses around those actual threats, Kurtz says. Companies are tired of trying to keep up with the large number of threats that may be targeting them.

"There is only so many fingers that they can put into the dike, and they want to know who is in their network and how to get them out of the network," Kurtz says. "They want to understand what they are ultimately after. By switching from a focus on ... malware to moving toward figuring out who is attacking and how they are doing it, you can basically put up better defenses."

As part of the company's team of researchers, CrowdStrike hired Werner Tillman, who created a way of identifying Conficker infected computers and then advocated more aggressive tactics in taking down the botnet.

Both companies are investing in creating intelligence on threats to better inform their clients' defenses. And both companies hope that doing so will help companies drop out of the rat race of trying to keep up with attackers' ability to change their code. The fact that the firms exist and have attracted a bevy of smart researchers is likely due to the high level of frustration among defenders aimed at the unending success of attackers. Such frustration led Shawn Henry -- recently the executive assistant director of the Criminal, Cyber, Response, and Services Branch of the FBI -- to head up CrowdStrike's services branch.

"The problem with existing technologies and threat-mitigation tactics is they are too focused on adversary tools -- malware and exploits -- and not on who the adversary is and how they operate," Henry stated in written testimony (PDF) to the U.S. House Subcommittee on Homeland Security in April. "Ultimately, until we focus on the enemy and take the fight to them to raise their cost of attack, we will fail because they will always get thorough."

Companies have enough information to understand attackers and gain better information on the threats to their business, but lack the tools to turn that data into a strategy for stopping attackers, Guido says.

"In reality, data on attackers is widely available in published security industry reports, but many organizations have trouble interpreting this data and making it actionable," he says. "The difficulty in achieving this vision will be in making the knowledge and tools to perform this analysis widespread."

Trail of Bits intends to focus on measurable data on security and threats, allowing firms not only to to create better defenses, but also measure their success against the attackers.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Bprince
50%
50%
Bprince,
User Rank: Ninja
6/16/2012 | 11:31:26 PM
re: Security Startups Focusing On Threats, Not Malware
There is always going to be malware that slips through, and I agree new approaches may be needed. Still, anti-malware technologies will always be part of the bag of tricks.
Brian Prince, InformationWeek/Dark Reading Comment Moderator
macker490
50%
50%
macker490,
User Rank: Ninja
6/16/2012 | 11:45:48 AM
re: Security Startups Focusing On Threats, Not Malware
="Stopping malware is so yesterday."

technically that is an argumentum ad antiquitatem-- a classic logic fallacy.

malware remains the main problem

COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.